Kaminsky: DNS flaw capable of attacks on many fronts

By Robert Westervelt, News Editor
06 Aug 2008 | SearchSecurity.com

LAS VEGAS -- Speaking to more than 1,000 security professionals at the Black Hat briefings, Dan Kaminsky outlined more than a dozen ways the DNS cache poisoning flaw could be used to cause widespread damage on internal and external servers.

Kaminsky's presentation Wednesday marked the first time the full details of the vulnerability were revealed since it was publicly disclosed July 8 in a massive coordinated patch release by multiple DNS vendors.

Kaminsky, director of penetration testing at IOActive Inc., said the vulnerability enables attackers to move beyond standard server or browser attacks and into attacks on applications that pull data from the Web -- making a DNS request -- without using a browser. Email, Voice over Internet Protocol (VoIP) and analytical applications are vulnerable to the poisoning attack. Authentication servers, back-end databases and even service-oriented architectures (SOA) are at risk since they are directed by DNS, even though they may be behind a firewall.

"There's a reason why so many people had so many things to speculate about, because there's a ton of different paths that lead to doom," Kaminsky said.

IT administrators had a good reason to deploy patches quickly, Kaminsky said. An attack can be carried out in seconds by flooding the DNS server with requests until a legitimate answer is received. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of bailiwick checking to dupe the server into believing the queried domain is legit.

The good news is that 70% of Fortune 500 email servers have been patched, as well as 61% of other servers. Still, more work needs to be done, he said. The vulnerability exposed the degree to which security best practices have been ignored, Kaminsky said. Even if a patch is fully deployed, there are other ways unencrypted IP traffic can be sniffed by an attacker, he said.

"DNS should not have been capable of this much damage," Kaminsky said. "Why was such a stupid simple bug capable of breaking this many things?"

Other attack scenarios make website verification and application updates vulnerable. Kaminsky highlighted the threat to SSL certificates, which are dependent on DNS. He called the certificate system poorly managed and mostly ignored by end users. With the exception of Microsoft updates, many vendor updates are dependent on DNS for verification, he said.

Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain (ISC BIND) and other vendors met at a secret summit in March to figure out how to repair the issue. Ultimately, the vendors agreed to issue a critical design patch that implements port randomization to correct the problem. Instead of randomizing on a transaction ID field of 16 bits, it now randomizes using 27-30 bits, greatly reducing the odds of someone successfully carrying out an attack, Kaminsky said. The session proved that vendors can cooperate despite competition and have a productive result, he said.
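The arithmetic behind the 16-bit versus 27-30-bit figures can be worked through as follows. This is an added example, not code from the article or from any DNS vendor; the port pool sizes (2,048 and 16,384) are assumed values chosen to reproduce the 27 and 30 bits quoted above, and the model assumes each forged reply is an independent, uniform guess.

```python
import math

TXID_BITS = 16  # width of the DNS transaction ID field, as stated in the article


def search_space_bits(port_pool_size: int) -> float:
    """Bits a blind spoofer must guess: the 16-bit transaction ID plus
    the resolver's choice of UDP source port from a pool of this size."""
    if port_pool_size < 1:
        raise ValueError("port pool must contain at least one port")
    return TXID_BITS + math.log2(port_pool_size)


def spoof_success_probability(bits: float, forged_replies: int) -> float:
    """Probability that at least one of `forged_replies` guesses matches,
    under the independent-uniform-guess assumption named in the lead-in."""
    per_guess_miss = math.log1p(-1.0 / 2.0 ** bits)  # log(1 - 1/space)
    return -math.expm1(forged_replies * per_guess_miss)


def replies_for_probability(bits: float, target: float = 0.5) -> int:
    """Forged replies needed before the success probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / 2.0 ** bits))


def compare(pools=(1, 2048, 16384)):
    """Rows of (pool size, bits, replies for 50% odds) for each assumed pool.
    A pool of 1 models the unpatched case: a fixed source port, TXID only."""
    rows = []
    for pool in pools:
        bits = search_space_bits(pool)
        rows.append((pool, bits, replies_for_probability(bits)))
    return rows


if __name__ == "__main__":
    for pool, bits, replies in compare():
        print(f"ports={pool:>6}  bits={bits:4.1f}  replies for 50% odds={replies:,}")
```

Each additional bit doubles the number of forged replies needed, so the patch raises the cost of a blind guess without removing it.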

"We had a choice back at our summit in March," Kaminsky said. "We could either do point fixes or we could drop the sledge hammer and finally raise the odds from one out of 65,000 to one out of hundreds of millions."

Behind the scenes, DNS vendors and security experts are still racing to come up with a more permanent fix.

Rodney Joffe is senior vice president and senior technologist at NeuStar, a DNS vendor. Joffe sits on the Security and Stability Committee of the Internet Corporation for Assigned Names and Numbers (ICANN), and has worked on DNS security issues for years at ICANN meetings. He said it has been clear behind the scenes how challenging it is to solve the DNS cache poisoning flaw. Although the current patch solves the problem temporarily, vendors need to push for a more permanent fix, he said.

Joffe is advocating for DNSSEC, a 12-year-old protocol that allows for the trusted signing of DNS answers.

"Over coming months and days it's going to drop down to hours and seconds again for attackers to pull off a successful exploit as they get more bandwidth available," Joffe said. "It's going to be a race between getting DNSSEC deployed and getting machines and more bandwidth."


